Understanding the Potential Costs of Cyber Breaches

A researcher inspecting for computer viruses at Hauri Inc., an IT security software vendor on March 21, 2013 in Seoul, South Korea. A cyber attack on the computer networks that run three South Korean banks, two broadcasters and an internet service provider in South Korea had been traced to an IP address in China.

The number of companies purchasing cyber insurance continues to increase. Although this shows that more companies recognize the existence of cyber exposures, it is not clear how many organizations appreciate the potential business impact of a cyber incident.

Our analysis indicates that the exposure facing many organizations eclipses the risk transfer programs they have implemented. Those organizations may have accepted the potential for larger losses because they think it is unlikely they will be successfully attacked.The following examples illustrate how costs can climb.

Retail: According to our data, retailers with revenues between $5 billion and $20 billion will buy, on average, an aggregate cyber limit of $23 million. However, a hypothetical retailer in that bracket may have a much greater exposure than that average limit. Consider a $12 billion retailer with 75 million in credit and debit card records.

Retail Exposure for a 1-in-100 Event (US$)

Analysis suggests that the organization’s data-breach exposure for a 1-in-20 likelihood event would potentially exceed $42 million. However, a less frequent but more severe event with a 1-in-100 likelihood could result in an exposure of more than 21 million records. Under the more severe incident, costs could exceed $340 million, or nearly 15 times the average limits purchased. Such an event could create an enterprise-threatening risk, even before accounting for the risk to reputation.

Higher Education: In the education sector, our data indicates that a university with an operating budget of $1 billion purchases, on average, cyber insurance with a limit of $5 million. As an illustrative example, consider a university with an operating budget of $1 billion and 5 million personally identifiable information records.

Higher Education Exposure for a 1-in-100 Event (Us$)

A 1-in-20 breach for this profile could result in costs of more than $10 million. A less frequent but more severe event, again at a 1-in-100 likelihood, could result in the exposure of more than four million records and incur costs of more than $30 million, or more than six times the average limits.

Health Care: Our data indicates that a $3 billion health care company buys, on average, $11 million in cyber insurance limits. Although many health care institutions may surpass that figure, the average demonstrates that many more run the risk of being significantly underinsured against large data breaches. Consider a health care provider with revenue of $3 billion and 5 million personal health information records.

Healthcare Exposure for a 1-in-100 Event (Us$)

A company with this profile can expect costs amounting to nearly $22 million for the 1-in-20 event. A more severe breach, the 1-in-100 occurrence, could see costs top $60 million, leaving almost $50 million in uninsured costs.

This material is extracted from A Cybersecurity Call to Action, prepared by Marsh & McLennan Companies in cooperation with The Chertoff Group, November 2014.